EKS Ubuntu Server 20.04

Overview

This user journey guides you through installing KubeArmor on EKS with Ubuntu Server 20.04 nodes and verifying its compatibility by applying policies to Kubernetes workloads.

Step 1: Create an EKS Cluster

Install the eksctl, AWS CLI, and Helm tools.

cat eks-config.yaml 
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: eks-ubuntu-cluster
  region: us-east-2
nodeGroups:
  - name: ng-1
    instanceType: c5a.xlarge
    amiFamily: "Ubuntu2004"
    desiredCapacity: 1
    volumeSize: 80
    ssh:
      allow: true
    preBootstrapCommands:
      - "sudo apt install linux-headers-$(uname -r)"

Official Link: Sample eks-config.yaml

Note:

EKS supported image types:

  • Amazon Linux 2

  • Ubuntu 20.04

  • Ubuntu 18.04

  • Bottlerocket

  • Windows Server 2019 Core Container

  • Windows Server 2019 Full Container

  • Windows Server 2004 Core Container

  • Windows Server 20H2 Core Container

eksctl create cluster -f eks-config.yaml

aws eks --region us-east-2 update-kubeconfig --name eks-ubuntu-cluster

Step 2: Karmor Install

Install Karmor CLI:

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
karmor version
karmor install  

Karmor Verify:

kubectl get pods -n kube-system | grep kubearmor

Step 3: KubeArmor Policy

1. Create an nginx deployment

kubectl create deployment nginx --image nginx
kubectl get pods --show-labels

2. Explore the policy

cat nginx-kubearmor-policy.yaml 
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy
  # namespace: accuknox-agents # Change your namespace
spec:
  tags: ["MITRE", "T1082"]
  message: "System owner discovery command is blocked"
  selector:
    matchLabels:
      app: nginx # use your own label here
  process:
    severity: 3
    matchPaths:
      - path: /usr/bin/who
      - path: /usr/bin/w
      - path: /usr/bin/id
      - path: /usr/bin/whoami
  action: Block

3. Apply the policy

kubectl apply -f nginx-kubearmor-policy.yaml  

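Note: The policy applies only to pods whose labels match the selector, e.g. app: nginx.

4. Policy violation

Open a shell in the nginx pod (substitute the pod name from step 1) and run one of the blocked commands, for example whoami.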

kubectl exec -it nginx-766b69bd4b-8jttd -- bash  

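5. Port-forward the KubeArmor service to monitor the logs

kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Note: --address 0.0.0.0 --address :: makes the forwarded port listen on every IPv4 and IPv6 interface of the machine running kubectl. Omit both flags to listen on localhost only.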

6. Verify the policy violation logs

karmor log
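
As an added example (not part of the original guide or the KubeArmor project), the script below automates the check from step 4: it finds the nginx pod by its app=nginx label instead of a hard-coded pod name and confirms that each path listed in the policy is denied. The function names and the --run switch are this example's own, and it assumes a blocked exec reports "permission denied".

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: check that each path in
# nginx-kubearmor-policy is denied in a pod selected by app=nginx.

# Paths copied from matchPaths in nginx-kubearmor-policy.yaml.
BLOCKED_PATHS="/usr/bin/who /usr/bin/w /usr/bin/id /usr/bin/whoami"

# Print the name of the first pod matching a label selector.
first_pod() {
  kubectl get pods -l "${1:-app=nginx}" \
    -o jsonpath='{.items[0].metadata.name}'
}

# Succeed only if running the binary in the pod was denied.
# Assumption: a blocked exec fails and reports "permission denied".
is_blocked() {
  local pod="$1" path="$2" out
  if out=$(kubectl exec "$pod" -- "$path" 2>&1); then
    return 1   # the binary ran, so the policy is not enforced
  fi
  case "$out" in
    *[Pp]"ermission denied"*) return 0 ;;
    *) return 1 ;;   # failed for another reason, e.g. binary not in image
  esac
}

# Print one line per policy path; return how many were not confirmed blocked.
verify_policy() {
  local pod path unconfirmed=0
  pod=$(first_pod "${1:-app=nginx}") || return 255
  [ -n "$pod" ] || return 255
  for path in $BLOCKED_PATHS; do
    if is_blocked "$pod" "$path"; then
      echo "BLOCKED      $path"
    else
      echo "NOT BLOCKED  $path"
      unconfirmed=$((unconfirmed + 1))
    fi
  done
  return "$unconfirmed"
}

# Run against the current kubeconfig context only when called with --run.
if [ "${1:-}" = "--run" ]; then
  verify_policy "${2:-app=nginx}"
fi
```

Run it with --run after applying the policy in step 3; the exit status is the number of paths that were not confirmed blocked, so 0 means every path was denied.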
